[ On Friday, May 14, 2004 at 12:31:45 (-0700), Marc Tooley wrote: ]
> Subject: Re: adding gpg to src/gnu/dist
>
> I think this is a misinterpretation of what the original poster meant,
> and you're spinning it to make it look like he said something he
> didn't. It seems to me that since everyone else uses GPG as a method of
> signed distribution of code, advisories, and so forth, "sticking with
> it" would better be interpreted in the broad sense that he's suggesting
> we not impose non-standard ssl-based distribution on users who are
> already familiar with, and actively using, GPG.
Indeed, though for many reasons, not the least of which is the GPL, I
personally would s/GPG/PGPi/g :-)
(Also, GPG has appeared far too often on BUGTRAQ, though maybe that's a
good thing.... :-)
(though the PGPi command-line interface is still just about as bad :-)
The point also is that there's already the beginnings of a web of trust,
and I think it's relatively _much_ easier for new users to truly trust
existing PGP keys than it is to knowingly trust a stand-alone "NetBSD-CA".
I think hierarchical CAs are pretty much useless (for all purposes,
including signing software) since they rely on users being told who to
trust instead of allowing them to discover the web of trust that grows
from those people they already know and really trust in real life. For
NetBSD it's even worse once you get one level removed from the existing
NetBSD community since there's no really good pre-existing societal
reason for anyone to trust the NetBSD-CA (i.e. not in the same way that
a Canadian, for example, might trust the Canada Post CA; or why anyone
might trust Verisign or some other company who's profit-making ability
rests on their ability to be perceived as trustworthy, etc.).
--
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com> Secrets of the Weird <woods@weird.com>